
August 13, 2021

Which Key to use for Managed Identity in Keyvault

ORIGINALLY POSTED TO: https://blog.simontimms.com/2021/08/13/appliation-key-for-keyvault

I have a Terraform deployment that runs in an Azure Pipeline. Azure Pipelines is connected to Azure through a service connection, and that service connection is registered as an application in the Azure AD tenant of the Azure account. The problem I constantly run into is that I can't remember which id from the application should be granted Key Vault access so the build pipeline can read and write to Key Vault.

resource "azurerm_key_vault_access_policy" "terraformaccess" {
  key_vault_id = azurerm_key_vault.keyvault.id

  tenant_id = local.tenant_id
  object_id = ???????????????????   # which id from the application goes here?

  key_permissions = [
    "Get",
    "Create",
    "List",
    "Update",
    "Verify",
    "Delete",
    "WrapKey",
    "UnwrapKey"
  ]

  secret_permissions = [
    "Get",
    "List",
    "Set"
  ]

  storage_permissions = [
    "Get",
    "List",
    "Set",
    "Update"
  ]
}

Maybe the value is in the portal somewhere:


Nope.

The value can be found by doing either

Login-AzureRmAccount -SubscriptionId <your subscription id>;
$spn=(Get-AzureRmADServicePrincipal -SPN <the application id>);
echo $spn.Id

or

az ad sp list --spn <the application id>

Then look for ObjectId in the output: that is the service principal's object id, and it is the value that goes in object_id in the access policy.
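As an added example (not code from the original post), the same value can be resolved inside Terraform with the azuread provider's service principal data source, so it never has to be copied from a CLI by hand. It assumes the azuread provider is configured against the same tenant as azurerm, that a variable holds the service connection's Application (client) ID, and that the identity running terraform is permitted to read service principals in Azure AD.

```hcl
# Added example, not part of the original post.
# Assumptions: the azuread provider is configured for the same tenant as
# azurerm, and var.pipeline_client_id holds the Application (client) ID of
# the service connection's app registration.

variable "pipeline_client_id" {
  description = "Application (client) ID of the Azure DevOps service connection"
  type        = string
}

# Resolve the service principal (Enterprise Application) that sits behind the
# app registration. Its object_id is what Key Vault expects. Neither the
# Application (client) ID nor the app registration's own Object ID works,
# and both are easy to confuse with it in the portal.
# On azuread provider releases before 2.44 this argument is named application_id.
data "azuread_service_principal" "pipeline" {
  client_id = var.pipeline_client_id
}

resource "azurerm_key_vault_access_policy" "terraformaccess" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = local.tenant_id
  object_id    = data.azuread_service_principal.pipeline.object_id

  key_permissions     = ["Get", "Create", "List", "Update", "Verify", "Delete", "WrapKey", "UnwrapKey"]
  secret_permissions  = ["Get", "List", "Set"]
  storage_permissions = ["Get", "List", "Set", "Update"]
}

# Surface the resolved id so it can be checked against the CLI lookup:
#   az ad sp list --spn <the application id> --query "[0].id" -o tsv
# (the field is objectId on older az releases).
output "pipeline_service_principal_object_id" {
  value = data.azuread_service_principal.pipeline.object_id
}
```

If the lookup fails with a 403, the pipeline's service principal lacks directory read permission; grant it the Microsoft Graph permission the azuread provider documents rather than falling back to a hand-pasted id.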


Simon Timms


© 2015 Western Devs. All Rights Reserved. Design by Karen Chudobiak, Graphic Designer